OpenSSH use (chave pública ou senha) + google authenticator

Navegue suas respostas
3

Eu quero permitir esses dois tipos de autenticação: chave pública + google authenticator OU senha + google authenticator.

Eu tenho o seguinte no meu sshd_config : 

AuthenticationMethods publickey,keyboard-interactive:pam password,keyboard-interactive:pam
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes

E no /etc/pam.d/ssh eu descomentei 

#@include common-auth and added auth required pam_google_authenticator.so

no final do arquivo.

A chave + rota de token ainda funciona, mas, por algum motivo, minha senha sempre é rejeitada com a mensagem "Acesso negado".

Descobri que sempre que eu defino UsePAM como "yes", a autenticação de senha falha. Não tem certeza porque?

Conteúdo do /etc/pam.d/sshd: (este arquivo parece muito longo para mim, mas foi apenas o padrão para o Ubuntu, talvez eu possa diminuir isso?) 

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
#@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set     complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible     that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]            pam_selinux.so close

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1     envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process     starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]            pam_selinux.so open

# Standard Un*x password updating.
@include common-password

auth required pam_google_authenticator.so

Conteúdo do /etc/pam.d/common-auth: 

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around 
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional            pam_cap.so 
# end of pam-auth-update config

Minha pergunta realmente se divide em: Como eu uso "UsePAM yes" junto com "AuthenticationMethods password". Talvez eu deva deletar essa pergunta e abrir uma nova?

    
por Timothy 02.02.2016 / 19:12

1 resposta

2

I found out that whenever I set UsePAM to yes, the password authentication fails. Not sure why?

A opção

UsePAM faz com que o método de autenticação password use o mesmo módulo PAM que você deseja usar para o segundo fator. É por isso que ele rejeita sua senha.

Esta é a resposta à sua pergunta, explicando "por que", mas não a solução completa "como torná-la melhor". Configurar essa combinação é complicado. Eu queria aprender como fazer isso de maneira simples e correta, mas tive tempo até agora. Mas estou aberto às suas ideias:)

    
por 02.02.2016 / 23:01

Tags

Desativar upload no vsftpd OpenVPN - como tornar visíveis os nomes dos clientes